Præsentation fra Smarter Business 2012

1. Database Security and Compliance
Ron Ben-Natan, IBM Distinguished Engineer
CTO for Data Security, Compliance and Optimization
© 2012 IBM Corporation

2. Database Security in the Forefront
7 Steps
• Data loss prevention • Hardening
• Compliance requirements • Assessing
• Mature best practices • Classifying
• Monitoring
• Auditing
• Enforcing
• Encrypting
2

3. Which types of information assets are compromised?
3

4. The “Unknown” Factor
4

5. Requirements/Initiatives
Discovery & Classification
SOX
PCI
DPD
Basel II
GLBA
Security ...
Breaches
Sep. of duties
...
Assessing
Scoping
Database Data Auditing
Discovery Classification Scope
&
Technical
Infrastructure Requirements Protecting
Hosts
Databases
Applications
5

6. Example 1 - ANY System Privileges
• Oracle has over 100 system privileges
• Nearly every ANY system privilege can be used by an attacker
to assume DBA privileges:
 EXECUTE ANY PROCEDURE
 There are many procedures within the SYS schema that run with definer rights – so if I can run
them I can assign myself privileges
 exec sys.dbms_repact_sql_util.do_sql(‘grant dba to ronb’, true);
 exec sys.dbms_streams_rpc.execute_stmt(‘grant dba to ronb’);
 exec sys.ltadm.executesql(‘grant dba to ronb’);
 CREATE ANY VIEW
 I’ll create a procedure that gives me DBA privileges running with invoker rights
 I’ll create a view in the SYSTEM schema that will run the procedure
 I’ll convince a DBA to access the view
 CREATE ANY TRIGGER
 I’ll create a procedure that grants me DBA, running with invoker rights
 Pick a user with DBA privileges
 Pick a table within that user schema for which PUBLIC has some privileges (e.g. SELECT)
 I’ll define a trigger on the privilege that PUBLIC has (e.g. SELECT) that calls the procedure
 I’ll access the object (since I’m using a PUBLIC privilege)
 I now have DBA privileges! (the trigger runs as the schema owner)
6

7. Example 2 – UTL_FILE
file_name := utl_file.fopen(<dir>,<file name>, ‘w’);
utl_file.put_line(file_name, ‘abcdefgh’, true);
utl_file.fclose(file_name);
The ability to write files to the OS is a very dangerous thing
 Runs with the database instance owner privileges
 Can be used to delete audit files
 Can be used to delete or corrupt a data file – including the SYSTEM tablespace
 Can use it to change config files
 Can use it to write a .rhosts file to allow access to the OS
 Can use it to write to .cshrc or .login for the oracle OS account
 Can use it to write a login.sql or glogin.sql file to cause a SQL command to be
called with privileges of a DBA
7

8. Assessing & Securing
Assessing
Vulnerability
Assessment
Change
Tracking
Scope
& Configuration
Technical Assessment Security Secure Proven
CAS Config
Requirements Recommendations Configuration
Compliance
Behavioral
Assessment
8

9. Complexity
“Though some movie plots would have us believe otherwise, cyber attacks in the real world rarely involve
Mission Impossible-like scenarios. Quite the opposite, in fact.”
9

10. Example 3 - Passwords
• Spida –
– Microsoft SQL Server
– Empty sa password
– Xp_cmdshell
– Propagation
– Made it to 4th place in SANS “Top Ten”
• APPS/APPS
weblogic.jdbc.connectionPool.eng= <ias-resources> Provider=SQLOLEDB;
url=jdbc:weblogic:oracle, <jdbc> Data Source=192.168.1.32;
driver=weblogic.jdbc.oci.Driver, <database>ORCL</database> Initial Catalog=Northwind;
loginDelaySecs=2, <datasource>ORCL</datasource> User ID=sa;
initialCapacity=50, <username>scott</username> Password=sapwd;
capacityIncrement=10, <password>tiger</password>
maxCapacity=100, <driver-type>ORACLE_OCI</driver-type>
props=user=scott,password=tiger,server=ORCL </jdbc>
</ias-resources>
10

11. Example 4 - Buffer Overflow Attacks
Sapphire worm/SQL Slammer
“Zero-day attack”
11

12. Monitoring & Auditing
Investigation
Support
Monitoring & Auditing
Data Access
Investigation
Audit
Auditing Trails
Policy
Scope
&
Technical Privileged
Requirements User Application
Monitoring & Monitoring
Auditing
Audit
Compliance
12

13. Compliance – Many Regulations – Internal & External
13

14. Breach Discovery
14

15. 15

16. More Oracle Performance tests
• Sun E6500
• 28 CPUs, 28 GB
• 100 concurrent connections
– Each doing inserts (real application table, with indexes etc.)
– 100 ms delay between each insert
16

17. Before Any Auditing
Throughout – Approximately 19,000 inserts per minute
last pid: 21715; load averages: 7.27, 4.66, 3.41 10:29:02
271 processes: 269 sleeping, 2 on cpu
CPU states: 66.3% idle, 25.3% user, 2.6% kernel, 5.8% iowait, 0.0% swap
Memory: 26G real, 20G free, 4885M swap in use, 32G swap free
PID USERNAME LWP PRI NICE SIZE RES STATE TIME CPU COMMAND
15044 oracle10 12 49 0 2137M 965M sleep 1:17 0.34% oracle
20904 oracle10 1 59 0 2123M 970M sleep 0:15 0.31% oracle
20773 oracle10 1 39 0 2124M 971M sleep 0:16 0.31% oracle
20932 oracle10 1 59 0 2123M 970M sleep 0:14 0.31% oracle
21008 oracle10 1 59 0 2123M 971M sleep 0:13 0.31% oracle
20946 oracle10 1 59 0 2123M 971M sleep 0:13 0.31% oracle
20789 oracle10 1 59 0 2123M 970M sleep 0:16 0.30% oracle
20873 oracle10 1 59 0 2123M 971M sleep 0:15 0.30% oracle
20958 oracle10 1 54 0 2123M 971M sleep 0:13 0.30% oracle
21004 oracle10 1 59 0 2123M 970M sleep 0:13 0.30% oracle
20795 oracle10 1 59 0 2123M 970M sleep 0:15 0.30% oracle
21002 oracle10 1 59 0 2123M 971M sleep 0:13 0.30% oracle
20867 oracle10 1 53 0 2124M 972M sleep 0:15 0.29% oracle
17

18. Oracle with Standard Auditing
• Throughout – Approximately 13,000 inserts per minute
– 30% drop in throughput
• Load average almost double
last pid: 7622; load averages: 14.51, 9.90, 8.72 11:32:32
271 processes: 269 sleeping, 2 on cpu
CPU states: 28.2% idle, 66.5% user, 3.0% kernel, 2.3% iowait, 0.0% swap
Memory: 26G real, 19G free, 4930M swap in use, 32G swap free
PID USERNAME LWP PRI NICE SIZE RES STATE TIME CPU COMMAND
4036 oracle10 1 59 0 2124M 1239M sleep 1:13 0.65% oracle
4082 oracle10 1 59 0 2124M 1239M sleep 1:12 0.65% oracle
4086 oracle10 1 59 0 2124M 1239M sleep 1:12 0.65% oracle
4055 oracle10 1 55 0 2124M 1239M sleep 1:13 0.64% oracle
4034 oracle10 1 59 0 2124M 1239M sleep 1:12 0.64% oracle
4139 oracle10 1 59 0 2124M 1239M sleep 1:12 0.64% oracle
4174 oracle10 1 53 0 2124M 1239M sleep 1:11 0.64% oracle
4162 oracle10 1 59 0 2124M 1239M sleep 1:11 0.64% oracle
3927 oracle10 1 35 0 2124M 1239M sleep 1:09 0.64% oracle
4078 oracle10 1 51 0 2124M 1239M sleep 1:09 0.63% oracle
4010 oracle10 1 59 0 2124M 1239M sleep 1:12 0.61% oracle
3947 oracle10 1 59 0 2124M 1239M sleep 1:12 0.61% oracle
3939 oracle10 1 23 0 2124M 1239M sleep 1:13 0.61% oracle
4119 oracle10 1 59 0 2124M 1239M sleep 1:10 0.61% oracle
4020 oracle10 1 41 0 2124M 1239M sleep 1:11 0.60% oracle
18

19. Database Activity Monitoring - DAM
• Other reasons to look beyond native Auditing
– Heterogeneous support
– Easier to deploy and manage
– IPC interception to avoid impact to the database
– Functionality/Maturity
• Security and Auditing
– Assessments
– Policies
– Change management
– Audit (as opposed to auditing)
• Automation
• Compliance packages
– Independence of the audit trail
– Separation of duties
– Allows security functions such as prevention and redaction
19

20. Protecting
Violations &
Incidents
Security Monitoring & Data Protection
Remidiation
Monitoring & Data Access Data Extrusion Privileged
Scope
Anomaly Protecttion Protection User Access
&
Detection Control
Technical
Requirements
Access
Compliance
20

21. IBM Guardium - Addressing the Full Lifecycle
21

22. Scalable Multi-Tier Architecture
IBM System z
Data Center 2
Development, Tes Collector
t & Training
Host-Based Probe Central Policy
(S-TAP) Manager & Audit
Optim Repository
Collector
Data-Level Access Control
(S-GATE)
Data Center 1 Integration with
LDAP/AD, IAM, Change
Management,
SIEM, Archiving, etc.
22
22

23. Thank you!
23